Solaris 10 Directory Server Installation


From the computer of: mcdsco (5 recipes)
Created: Nov 08, 2006     Updated: Nov 16, 2006



This Tech-Recipe details an installation of Directory Server 5.2 p4 from Sun Microsystems into a Solaris 10 whole-root zone. Good DS installation instructions are VERY difficult to find. Also covered are configuring systems as local LDAP clients and using the directory server to store automount maps for automatically mounting user home directories. This is intended to be just the step-by-step, and it assumes that you already have a bit of technical knowledge about such matters ...

-=Step-by-Step Sun Directory Server Installation for Solaris 10=-

This document starts with an installed Solaris 10 server and covers the installation of a Whole-Root Zone, custom configuration for the zone, the installation of sudo and some other nice to haves.

This document was created by Scott McDuff, CISSP SCSA MCSE+I TCA. Comments or questions can be sent to scott@loginbay.com. I am a freelance consultant with 20 years of consistent humbling :D

Let’s begin by downloading all of the necessary files …
Go to http://www.sunfreeware.com and download the latest version of sudo for Solaris 10.

If you want Windows authentication, you might want to download pGina from http://pgina.sourceforge.net

Go to http://www.sun.com/download, scroll down to the heading Identity Management and click on Directory Server. Click on Directory Server 5 2005Q4 (5.2 P4) --> Click on download --> Sign in with your Sun access account --> Accept the License Agreement --> and download.

Place all of the software in the /zones/pub directory (except for pGina, of course).

Create a zone

Within the directory which will be holding the zones, create a directory called ldapserver1. In this example, I will assume that the mount point is /zones/ldapserver1. Also, create a directory to share between the global and whole-root zone. Typically I make the /zones directory a mount to a SAN or something other than a directory under the root (/) filesystem. I utilize /zones/pub as a common storage area for patches and software.

# mkdir /zones/ldapserver1
# mkdir /zones/pub


Prepare a zone creation script called ldapserver1.zone. I typically keep this file in the directory of the zone being created (/zones/ldapserver1). Note what your physical network interface is beforehand by issuing the following command:

root@sol10globalzone# ifconfig -a


# vi /zones/ldapserver1/ldapserver1.zone
create -b
set zonepath=/zones/ldapserver1
set autoboot=true
add fs
set dir=/pub
set special=/zones/pub
set type=lofs
end
# only add if CDROM exists
add fs
set dir=/cdrom
set special=/cdrom
set type=lofs
end
add net
set address=192.168.1.XXX
set physical=pcn0  #whatever your physical interface is
end

Install the zone
# cd /zones/ldapserver1
# zonecfg -z ldapserver1 -f ldapserver1.zone
# chmod 700 /zones/ldapserver1
# zonecfg -z ldapserver1 info
# zonecfg -z ldapserver1 verify
# zoneadm -z ldapserver1 install
# zoneadm list -icv
# zoneadm -z ldapserver1 ready
# zoneadm -z ldapserver1 boot
# zlogin -C ldapserver1 --> ensure it works and then exit ...


You must have the zone configured to resolve its own name, either through /etc/hosts or through a DNS server. Fix this first: if not using DNS, put an entry into your /etc/hosts that looks like this:

   # vi /etc/hosts
      127.0.0.1      localhost         loghost
      192.168.1.XXX      ldapserver1.domain.com   ldapserver1


Reboot or restart network service …

Let’s Configure the ldapserver1

1.   zlogin ldapserver1

2.   vi /etc/passwd --> change root's shell from /sbin/sh to /bin/bash

3.   vi /root/.profile and add a custom prompt and extend the path (the PS1 value must be quoted, or the shell splits it at the spaces)
export PS1='\[\033[32;2m\]\u@\h \[\e[31;2m\]\t\n\[\e[30;0m\]\w $ '
PATH=$PATH:/usr/local/bin:/usr/local/sbin
:wq then su - to see changes

4.   vi /etc/hosts and add all of the machines
# cat /net/<storage-machine>/jumpstart/config/hosts >> /etc/hosts

5.   vi /etc/resolv.conf and change server to <ip address of dns server>

6.   SUDO Setup 
   # gunzip /pub/sudo-1.6.8p9-sol10-sparc-local.gz
   # pkgadd -d /pub/sudo-1.6.8p9-sol10-sparc-local
   --> select 1 --> y --> y (add local admin user accounts by issuing
   visudo command)
   # groupadd -g 101 ldap
   # mkdir /var/Sun
   # useradd -g 101 -u 101 -c "ldap privsep" -d /var/Sun/mps -m -s /bin/bash ldap
   # passwd ldap --> Password#1
   # usermod -K defaultpriv=basic,net_privaddr ldap

7.   Installation of iPlanet LDAP
   # cd /pub
   # gunzip ds* ; tar xvf ds*
   # ./setup --> Enter --> Enter --> Enter --> yes

   Fully Qualified Computer Name [ldapserver1.domain.com] Enter --> Enter --> Enter --> Enter --> Enter --> System User: ldap --> System Group: ldap --> Enter --> Enter --> Enter --> Enter --> Enter -->

   admin Enter --> Password (twice) = Password#1 --> Enter --> Enter --> Password#1 --> Enter --> Enter --> watch progress bar ...

   Enter to end installation

8.   Add the following Startup script:
   # vi /etc/init.d/dscontrol
      #!/sbin/sh
      #
      # Copyright (c) 2001 by Sun Microsystems, Inc
      # All rights reserved.
      #
      #ident "@(#)slapd and admin 5.2p4 09/29/06"

      case "$1" in
      start)

      /var/Sun/mps/slapd-ldapserver1/start-slapd
      /var/Sun/mps/start-admin
      ;;

      restart)

      /var/Sun/mps/slapd-ldapserver1/restart-slapd
      /var/Sun/mps/restart-admin
      ;;

      stop)

      /var/Sun/mps/slapd-ldapserver1/stop-slapd
      /var/Sun/mps/stop-admin
      ;;
      *)
      echo "Usage: $0 { start | restart | stop }"
      exit 1
      ;;
      esac
      exit 0

   # chmod 755 /etc/init.d/dscontrol
   # ln -s /etc/init.d/dscontrol /etc/rc3.d/S90dscontrol
   # ln -s /etc/init.d/dscontrol /etc/rc1.d/K90dscontrol

9.   Configuration of IDS
   # cd /usr/lib/ldap
   # ./idsconfig --> y
   hostname to setup: ldapserver1 --> Enter --> Enter --> passwd = Password#1 --> Enter -->
   Enter --> Enter --> Enter --> Enter --> Enter --> Credential level = 2 --> Authentication Methods = 2 --> another Auth Method = n --> Enter --> Enter --> crypt format = y --> Enter --> Enter --> Enter --> Enter --> Enter --> Enter --> Enter --> passwd for proxyagent = differentpasswd (twice) --> committing changes = y

   Exit the ldap server completely

10.   Launching LDAP GUI and adding users (from SunRay or other Sun box)
   # ssh -X username@ldapserver1.domain.com
   # sudo mkdir /export/home/<userid> ; sudo chown <UID> /export/home/<userid>
   # sudo /var/Sun/mps/startconsole & (is your local user in the sudoers file?)
   --> Login using admin and Password#1
   --> Open ldapserver1.domain.com
   --> Open Server Group
   --> Click on Directory Server and click on the Open button, this will launch a new window.
   --> Click on the Directory Tab and Open dc=domain,dc=com
   --> Open the last user created --> click on Posix User and note the UID
   --> Right Click on People and select New --> User (opens a new window)
   --> Fill in all of the blanks allowing the username to be first initial lastname.
   --> Click on Posix user in the left sidebar menu
   --> Click on Enable Posix User Attributes and enter the information, Gecos is optional information, usually I put the whole user's name like the comment field when doing useradd. --> Click the OK button.
   --> Right Click on new user's name --> Edit with Generic Editor --> Click on gray area called Object class and then click on the Add Value button on the Right.
   --> Within the open window, select shadowaccount and click the OK button --> and OK again to close the user window.

11.   Initiating a Solaris 10 server as an LDAP Client
   # Ensure that LDAP Client can resolve LDAP server name
   # ssh <username>@<ldapclient>
   # su -
   # ldapclient init -a profileName=default \
      -a domainName=domain.com \
      -a proxyDN=cn=proxyagent,ou=profile,dc=domain,dc=com \
      -a proxyPassword=differentpasswd \
      -a defaultServerList=192.168.1.XXX (should get successfully configured)
   # vi /etc/nsswitch.conf --> should look like this ...

      passwd: files ldap
      group: files ldap
      hosts: files
      ipnodes: files
      networks: files
      protocols: files
      rpc: files
      ethers: files
      netmasks: files
      bootparams: files
      publickey: files
      netgroup: files ldap
      automount: files ldap
      aliases: files ldap
      services: files ldap
      printers: user files ldap
      auth_attr: files ldap
      prof_attr: files ldap
      project: files ldap


Autohome Installation within LDAP
Log in to the native LDAP (Lightweight Directory Access Protocol) client
and perform the following steps.

1. Create an auto_master file:
   root@ldapclient# vi /tmp/auto_master

   # Master map for automounter
   /home          auto_home       -nobrowse

2. Add it to the LDAP database:
   root@ldapclient# /usr/sbin/ldapaddent -D "cn=directory manager" -w password -f /tmp/auto_master auto_master
1 entries added

3. Create an auto_home file
   root@ldapclient# vi /tmp/auto_home
      # Home directory map for automounter
      *       nfsserver:/nfs/home/&

4. Add to LDAP database:
   root@ldapclient# /usr/sbin/ldapaddent -D "cn=directory manager" -w dirmanager -f /tmp/auto_home auto_home
   1 entries added

The automount maps are stored in the directory server as shown below (this sample output comes from a directory with a different base DN and NFS server name than the ones used above):

root@ldapclient# ldaplist -l auto_master
dn: automountKey=/home,automountMapName=auto_master,o=sun.com
        objectClass: automount
        objectClass: top
        automountKey: /home
        automountInformation: auto_home -nobrowse

root@ldapclient# ldaplist -l auto_home
dn: automountKey=*,automountMapName=auto_home,o=sun.com
        objectClass: automount
        objectClass: top
        automountKey: *
        automountInformation: snoopy:/nfs/home/&

5. Start automount daemon
   /etc/init.d/autofs start

6. Create a user in directory server and specify user's home directory
   root@ldapclient# /usr/bin/ldapsearch -b "o=domain.com" uid=ldapuser homedirectory

uid=ldapuser,ou=people,o=domain.com
homedirectory=/home/ldapuser

7. Login as a user and automount will mount the user's home directory.
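
To make that storage layout concrete, here is an added example (not from the original recipe or from Sun's tools) that renders a plain auto_master or auto_home map file into the LDIF that ldapaddent effectively loads: one automountMap container entry plus one automount entry per map line, using the same attribute names the ldaplist output above shows. The base DN, map contents and temporary file names are assumptions constructed for the demonstration; it needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of the original recipe: show how automounter map
# lines become automount entries in the directory. Assumes POSIX sh + awk.

# map_to_ldif MAPFILE MAPNAME BASEDN
# Prints the automountMap container entry followed by one automount entry
# per non-comment map line. Comments and blank lines are skipped and the
# mount information is rebuilt with single spaces, as ldaplist shows it.
map_to_ldif() {
    awk -v map="$2" -v base="$3" '
        BEGIN {
            printf "dn: automountMapName=%s,%s\n", map, base
            printf "objectClass: top\nobjectClass: automountMap\n"
            printf "automountMapName: %s\n\n", map
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            key = $1
            info = $2
            for (i = 3; i <= NF; i++) info = info " " $i
            printf "dn: automountKey=%s,automountMapName=%s,%s\n", key, map, base
            printf "objectClass: top\nobjectClass: automount\n"
            printf "automountKey: %s\n", key
            printf "automountInformation: %s\n\n", info
        }
    ' "$1"
}

# Constructed sample maps: the same two lines the recipe puts in /tmp.
BASE_DN="dc=domain,dc=com"          # assumption: matches the recipe's domain
master=$(mktemp); home=$(mktemp)
cat > "$master" <<'EOF'
# Master map for automounter
/home          auto_home       -nobrowse
EOF
cat > "$home" <<'EOF'
# Home directory map for automounter
*       nfsserver:/nfs/home/&
EOF

map_to_ldif "$master" auto_master "$BASE_DN"
map_to_ldif "$home" auto_home "$BASE_DN"
rm -f "$master" "$home"
```

Comparing this output with what ldaplist -l auto_master and ldaplist -l auto_home print on the client is a quick way to confirm that ldapaddent put the entries under the container and base DN you expected.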


Hope you got all of that! -Scott.
